Privacy policy
This policy explains what personal data is processed by Rozero Digital, MB (hereinafter — "Rozero") in its function as custodian of one encrypted cryptographic key share within the Everfair network, and what rights data subjects have under the General Data Protection Regulation (EU) 2016/679 (GDPR).
1. Rozero's role and data controller
Everfair is a decentralized network supported by many independent participants and is not a legal entity that would process personal data in the GDPR sense. There is therefore no classic controller–processor (GDPR Art. 28) relationship between Rozero and Everfair.
Rozero Digital, MB acts as an independent data controller for the data covered by this policy:
- the mapping wallet address ↔ country code + personal / company code (see Section 2.2);
- audit logs of disclosures to authorities (see Section 5);
- contact data of its own employees, partner representatives and website visitors.
Rozero holds one encrypted Shamir key share as a technical custodian. The ciphertext in isolation is not identifiable personal data — it becomes usable only when combined with another (2 of 7) share.
KYC/KYB identity data (name, surname, documents, biometrics, company registration data) is processed in its own infrastructure by an accredited KYC/KYB provider of the Everfair network (currently — Sumsub Ltd.; may be replaced with another accredited partner) under separate agreements with users — Rozero does not receive or store it.
2. Data Rozero processes
2.1. Encrypted key share
- An encrypted binary block — one Shamir Secret Sharing share out of seven, belonging to Rozero's position in the Everfair 2-of-7 recovery scheme.
- This block is not by itself readable and does not identify a specific person without additional information held by other Everfair participants and by the KYC/KYB provider.
- Stored together with technical metadata: share identifier, creation timestamp, version, cryptographic checksum.
2.2. Wallet address ↔ personal / company code mapping
- To fulfil its lawful disclosure obligation (see Section 5), Rozero stores the minimum required mapping: Everfair wallet address → country code (ISO 3166-1, e.g. LT, EE, US) + national personal identification code (in Lithuania — asmens kodas) or legal entity registration number.
- The personal code is stored encrypted with AES-256-GCM; the encryption key is split using a Shamir 2/3 scheme between Rozero Digital, the Everfair vault and an independent legal escrow. No single Rozero employee can decrypt the data unilaterally.
- Rozero does not store names, surnames, dates of birth (as a separate field), residential addresses, phone numbers, email addresses or identity documents.
- The personal code does not on its own confer identity to Rozero — it becomes an authoritative identifier only in the state register, to which Rozero has no access.
2.3. Audit logs
- Request and response metadata: date, request type, quorum participants, authorisation indicators, outcome.
- For authority requests additionally: authority, legal basis, scope of information disclosed.
2.4. B2B and website data
- Contact details of Everfair, partner and authority representatives (name, role, email, phone) — for contractual communication.
- Web server logs: IP address, user agent, requested URL, timestamp — for security and incident investigation.
3. What Rozero does NOT process
- User names, surnames, dates of birth (as a separate field), residential addresses, phone numbers, email addresses.
- Images or metadata of identity documents.
- Biometric data (face image, liveness check results, etc.).
- PEP, sanctions or adverse-media screening results.
- User transaction amounts or wallet balances.
These data are processed by separate parties: the accredited KYC/KYB provider of the Everfair network (currently — Sumsub; may be replaced with another accredited partner) and the Everfair network.
4. Legal basis for processing
- Art. 6(1)(b) GDPR — performance of the contract with Everfair (key share custody).
- Art. 6(1)(c) GDPR — compliance with a legal obligation (disclosure to authorities upon a court order).
- Art. 6(1)(f) GDPR — legitimate interest in ensuring network security, fraud prevention and audit trail.
5. Disclosure to authorities
Rozero, as the Lithuanian-registered legal point of contact, upon receipt of a valid Lithuanian court order, prosecutor's decision or decision of a competent authority, provides the authority, for the wallet address in question, with only two data items:
- the country code (ISO 3166-1, e.g. LT);
- the national personal or company identification code.
Rozero cannot provide any further information about the user, because no further information is held. The authority itself establishes the user's identity (name, address, etc.) through state registers, to which Rozero has no access.
Each disclosure is recorded in an immutable audit log.
5.1. International legal cooperation
Foreign law-enforcement agencies do not contact Rozero directly. International cooperation flows through established channels and ends with a Lithuanian national act issued by a court or prosecutor:
- EU Member States — European Investigation Order (EIO) under Directive 2014/41/EU, submitted to the competent Lithuanian authority, which forwards it to Rozero for execution.
- Third countries — via a Mutual Legal Assistance Treaty (MLAT) or diplomatic channel. The foreign agency's request reaches the Lithuanian Prosecutor General's Office or Ministry of Justice through its own central authority, which then initiates a national procedure and issues a Lithuanian order.
- Emergency cases (imminent threat to life, child exploitation) — expedited disclosure is possible under the Lithuanian Code of Criminal Procedure and the AML Law, with mandatory retrospective judicial review.
Disclosure is carried out under the Lithuanian Code of Criminal Procedure, the Law on the Prevention of Money Laundering and Terrorist Financing, EU Directive 2014/41/EU, applicable international treaties and other applicable acts.
6. Retention periods
- Encrypted key share and disclosure index — for the duration of the contract with Everfair, while the user has not been deleted from the network.
- Audit logs — for no less than required by applicable law (typically 8 years under AML rules).
- Web server logs — up to 12 months.
7. Data subject rights
The data subject (an Everfair user) has the right to:
- be informed about processing;
- access the data processed;
- request rectification of inaccurate data;
- request erasure where the processing basis ceases and there is no obligation to retain the data;
- restrict processing;
- file a complaint with the State Data Protection Inspectorate of Lithuania (vdai.lrv.lt).
Because Rozero stores only a minimal mapping (wallet address + country code + encrypted personal / company code) and an encrypted Shamir share, requests concerning full identity data (name, documents, biometrics) should be addressed to the KYC provider (currently — Sumsub), which holds such data under separate agreements.
8. Security
- Separate infrastructure, isolated from Everfair and from the other share custodians.
- HTTPS with strict security headers (HSTS, CSP, X-Frame-Options).
- SSH access by keys only, firewall, automatic security updates, intrusion-attempt monitoring.
- Audit logs protected against modification.
9. Contact
For data-processing matters: info@rozero.digital, or see the contact page.
Policy version: 2026-04. The policy may be updated; the current version is on this page.